
Foreign-language translation: A Look Back at “Security Problems in the TCP/IP Protocol Suite” (archived version)

2025-07-01 07:37
  

e hybrid schemes that don’t fall to these attacks, but the underlying message is the same as it was in 1989: don’t rely on TCP sequence numbers for security.

it can lead to correctness failures as well as to security failures. For that matter, it is necessary to inquire even more closely, even of sequence numbers in a security protocol: what properties are they guaranteed to have? Are they simply packet sequence numbers, or can they be used as, say, the initialization vector for counter mode encryption [35]?

Was there a security problem? Yes, there certainly was, as demonstrated graphically a few years later in the Mitnick vs. Shimomura incident. But the architectural flaw was the assumption that TCP sequence numbers had security properties which they did not. (Ironically, I have heard that analyses of the security properties of sequence numbers were, in fact, done in the classified world— and they concluded that such attacks were not feasible. . . )

The sequence number attack story isn’t over. In 2020, Watson observed that TCP reset packets were honored if the RST bit was set on a packet whose initial sequence number was anywhere within the receive window (see US-CERT Technical Cyber Security Alert TA04-111A). On modern systems, the receive window is often 32K bytes or more, which means that it takes less than 2^17 trials to generate such a packet via a blind attack. That sounds like a lot of packets, and it’s only a denial of service attack, but for long-lived sessions (and in particular for BGP [84] sessions between routers), it’s quite a feasible attack. Furthermore, tearing down a single BGP session has widespread effects on the global Internet routing tables.

JCN STATE LPORT FPORT FGNHOST RSEQUENCE SSEQUENCE SENDW
0,1 15 2934 333888001 760807425 4096
6,6 15 0 0,0,0,0 0 0 0
6,5 79 0 0,0,0,0 0 0 0
0,21 23 4119 26,1,0,16 2928942175 701235845 319
0,2 23 1792 192,33,33,115 739613342 660542923 4096

Figure 1. Output from a TOPS-20 netstat command. Note the “send” and “receive” sequence numbers. The first line in the status display is the session I used to retrieve the data.

Defenses

Obviously, the key to this attack is the relatively coarse rate of change of the initial sequence number variable on Berkeley systems. The TCP specification requires that this variable be incremented approximately 250,000 times per second

I will not do so here. I have, where appropriate, noted where my analysis was especially incorrect. I did and do feel that my conclusions were substantially correct.

The TCP/IP protocol suite [41, 21] which is very widely used today, was developed under the sponsorship of the Department of Defense. Despite that, there are a number of serious security flaws inherent in the protocols. Some of these flaws exist because hosts rely on IP source address for authentication

worse yet, the (proprietary) address assignment software on his machine didn’t see any (proprietary) address assignment servers on that network, so it allocated .1—the gateway router—to itself. These two situations worried me

Attachment 2: Original foreign-language text

A Look Back at “Security Problems in the TCP/IP Protocol Suite”
Steven M. Bellovin
AT&T

In fact, the maximum TCP connection rate is an important metric for evaluating modern systems.

Another defense involves good logging and alerting mechanisms.

Alternatively, DES could be used in output feedback mode, without an additional counter.

A combination of a fine-granularity increment and a small random number generator, or just a 32-bit generator, is better.

On a 6 MIPS machine, one tick (4 μseconds) is about 25 instructions.

Thus, if the spoofer can accurately measure (and predict) that time, even a 4 μsecond clock will not defeat this attack.

The TCP specification requires that this variable be incremented approximately 250,000 times per second.

That sounds like a lot of packets, and it is only a denial of service attack, but for long-lived sessions (and in particular for BGP [84] sessions between routers), it is quite a feasible attack.

A more important point (and this is one made in [54]) is that the r-utilities implicitly rely on TCP sequence numbers, and hence on TCP session correctness, for security properties.

It did not list the open ports on the local machine, as well as all current connections.

This flaw (as described in [10] and in Morris’s paper) received little attention at the time, and was only noticed many years later.

So how does one predict the random ISN? In Berkeley systems, the initial sequence number variable is incremented by a constant amount once per second, and by half that amount each time a connection is initiated.

This allowed him to spoof a trusted host on a local network.

For the most part, vendor-specific protocols are not discussed here either.

This may be due to flaws in that machine’s own protection mechanisms, or it may be because that machine is a microcomputer, and inherently unprotected.

Where appropriate, I note where my analysis was incorrect.

We had installed a number of detectors for exactly this sort of activity, and were thus able to notice the unusual behavior.

When things broke, we often discovered that it was a routing problem: someone had misconfigured their machine.

It helps to understand where this paper came from.

Bugs come and go, and everyone’s operating environment is different.

Graduation Project: Translation of Foreign-Language Material
School: School of Information Science and Engineering
Major: Computer Science and Technology
Name: xxx
Student ID: xxx
Foreign source: A Look Back at “Security Problems in the TCP/IP Protocol Suite”
Attachments:

I felt, and still feel, that that was the right approach.

As a general rule, the commentary follows the section it discusses.

This meant that the routing software (we used Berkeley’s routed) was accessible to system administrators.

He was detected when he tried to use uucp to grab password files from various Research machines.

At the time, I chose not to publish a detailed rebuttal; I will not do so here.

In describing such attacks, our basic assumption is that the attacker has more or less complete control over some machine connected to the Internet.

We discuss such problems only insofar as they may be aided by, or result from, protocol problems.

Briefly, he used TCP sequence number prediction to construct a TCP packet sequence without ever receiving any responses from the server.

If X were to mount this attack on a connection that allows command execution (i.e., the Berkeley rsh server), malicious commands could be executed.

Although flooding can work (without explicitly stating it, I anticipated the denial of service attacks that began in 1996), Morris actually exploited an error in the Berkeley kernel to accomplish his goal with fewer packets.

The Berkeley implementation of netstat was dangerous, but not for the reasons that I gave here.

Actual output is shown in Figure 1.

On modern systems, the receive window is often 32K bytes or more, which means that it takes less than 2^17 trials to generate such a packet via a blind attack.

Defenses

Obviously, the key to this attack is the relatively coarse rate of change of the initial sequence number variable on Berkeley systems.

But that number is precisely the round-trip time between X and S.

In fact, some processing does take place when a new request comes in; the amount of variability in this processing is critical.

Care must be taken to use sufficient bits; if, say, only the low-order 8 bits were picked randomly, and the granularity of the increment was coarse, the intruder’s work factor is only multiplied by 256.

The Data Encryption Standard [73] in electronic codebook mode [74] is an attractive choice as the ISN source, with a simple counter as input.

A 1 MIPS processor has been reported [12].

Also worth noting is the suggestion that intrusion detection systems can play a role: they can alert you to an attack that for some reason you were unable to ward off.

we generally stuck a second Ethernet board into a VAX or a Sun and used it to do the routing. This meant that the routing software (we used Berkeley’s routed) was accessible to system administrators. And when things broke, we often discovered that it was a routing problem: someone had misconfigured their machine. Once, we found that someone had plugged a new workstation into the Murray Hill backbone, rather than into his department’s wo